From e101f6b4ca824f8bf4b0bbf376ff6ced9378271e Mon Sep 17 00:00:00 2001 From: Mickaël Salaün Date: Tue, 5 Jan 2021 20:19:49 +0100 Subject: sys/linux: add Landlock syscalls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on Linux next-20210319: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f00397ee41c79b6155b9b44abd0055b2c0621349 Co-developed-by: Vincent Dagonneau Signed-off-by: Vincent Dagonneau Signed-off-by: Mickaël Salaün --- sys/linux/landlock.txt | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 sys/linux/landlock.txt (limited to 'sys/linux/landlock.txt') diff --git a/sys/linux/landlock.txt b/sys/linux/landlock.txt new file mode 100644 index 000000000..c3d03d96a --- /dev/null +++ b/sys/linux/landlock.txt @@ -0,0 +1,21 @@ +# Copyright 2021 syzkaller project authors. All rights reserved. +# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. + +include + +resource fd_ruleset[fd] + +landlock_create_ruleset(attr ptr[in, landlock_ruleset_attr], size bytesize[attr], flags const[0]) fd_ruleset +landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_PATH_BENEATH], rule_attr ptr[in, landlock_path_beneath_attr], flags const[0]) +landlock_restrict_self(ruleset_fd fd_ruleset, flags const[0]) + +landlock_ruleset_attr { + handled_fs_access flags[landlock_access_flags, int64] +} + +landlock_path_beneath_attr { + allowed_access flags[landlock_access_flags, int64] + parent_fd fd +} [packed] + +landlock_access_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_WRITE_FILE -- cgit mrf-deployment